No need to set a listener password in ORACLE 10G

Posted by zhanglei_itput on 2010-06-03

 

The Oracle listener has long had a serious security problem: if no protective measure (a listener password) is configured, any user who can reach the listener can shut it down remotely. So before 10g, setting a listener password was the way to prevent remote shutdown of the listener. From 10g onward, the listener is hardened against remote users by default, and a remote user cannot stop the listener on the server.


Applies to:

Oracle Net Services
Information in this document applies to any platform.
Checked for relevance on 8-OCT-2009.

Goal

How to set a password for 10g and newer listeners leaving the default OS authentication mechanism in place.

In Oracle 10g and newer versions of the listener, the listener is secure out of the box. There should be no need to set a listener password to prohibit privileged LSNRCTL commands from being executed.

Beginning with version 10g, the listener now uses local OS authentication. As long as one runs LSNRCTL privileged commands (stop, status, etc.) as the same user who started the listener, that user will be able to fully administer the running listener without providing a password.


This security feature is enabled by default and can be identified at listener
startup, or when issuing a LSNRCTL STATUS command, by the following output:

Security ON: Local OS Authentication

If the TNSListener is started as the "oracle" user and the user "sales" attempts
to administer the listener, or if "oracle" on a different node attempts to
administer the listener, the following error will be returned:

TNS-01190: The user is not authorized to execute the requested listener command



The following commands are all privileged:

 SAVE_CONFIG, STOP, TRACE, SPAWN, RELOAD,

 SET {LOG_FILE, LOG_STATUS, INBOUND_CONNECT_TIMEOUT, SAVE_CONFIG_STOP_ON,
      TRC_FILE, TRC_LEVEL, LOG_DIRECTORY, STARTUP_WAITTIME}

 SHOW {RULES, TRC_DIRECTORY, LOG_FILE, LOG_STATUS, INBOUND_CONNECT_TIMEOUT,
       SNMP_VISIBLE, TRC_FILE, TRC_LEVEL, LOG_DIRECTORY, STARTUP_WAITTIME,
       SAVE_CONFIG_STOP_ON}

Solution

A secondary user is able to administer the listener if a listener password is
set and the secondary user knows the password. In this example, "oracle" will
set an encrypted password for the listener and the user "sales" will stop the
listener.



As the "oracle" user, set and encrypt the listener password:
1) LSNRCTL> set current_listener 
2) LSNRCTL> change_password
    Old password: 
    New password: 10glistener  (text is not echoed)
    Reenter new password: 10glistener    (text is not echoed)
3) LSNRCTL> save_config
4) LSNRCTL> status

STATUS output will now show:
Security                  ON: Password or Local OS Authentication

As the "sales" user, enter the password to administer the listener:
1) LSNRCTL> set password 
    Password: 10glistener   (text is not echoed)
2) LSNRCTL> stop
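An added audit helper, not part of MOS note 260986.1 or this post, that reads LSNRCTL STATUS output and classifies the "Security" line: the 10g default "ON: Local OS Authentication" shown earlier versus the "ON: Password or Local OS Authentication" shown after step 4. The "Security OFF" wording for a pre-10g listener without a password is an assumption, and the sample STATUS fragments are constructed.

```shell
#!/bin/sh
# Added audit helper, not part of MOS note 260986.1 or the ITPUB post.
# Reads LSNRCTL STATUS output on stdin and classifies the "Security" line,
# the line the note says identifies the listener's authentication mode.
listener_security_mode() {
    line=$(grep -i '^Security' | head -n 1)
    case "$line" in
        # Password set via change_password + save_config (checked first,
        # because the default wording is a substring of this one)
        *"ON: Password or Local OS Authentication"*) echo password-or-local-os-auth ;;
        # 10g default: only the OS user that started the listener may stop it
        *"ON: Local OS Authentication"*)             echo local-os-auth ;;
        # Assumed wording of a pre-10g listener with no password set
        *"OFF"*)                                     echo off ;;
        "")                                          echo unknown ;;
        *)                                           echo other ;;
    esac
}

# Constructed sample fragments of STATUS output (not captured from a real host).
SAMPLE_DEFAULT='STATUS of the LISTENER
------------------------
Alias                     LISTENER
Security                  ON: Local OS Authentication
SNMP                      OFF'

SAMPLE_PASSWORD='STATUS of the LISTENER
------------------------
Alias                     LISTENER
Security                  ON: Password or Local OS Authentication
SNMP                      OFF'

# Use the real listener when lsnrctl is on PATH, otherwise the constructed sample.
if command -v lsnrctl >/dev/null 2>&1; then
    mode=$(lsnrctl status | listener_security_mode)
else
    mode=$(printf '%s\n' "$SAMPLE_DEFAULT" | listener_security_mode)
fi
echo "listener security mode: $mode"
```

Run it as the OS user that owns the listener so that STATUS itself is permitted; a result of "off" or "unknown" is what an auditor would flag for review.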

 

References:

1. Setting Listener Passwords With an Oracle 10g or Newer Listener [ID 260986.1]

2. http://space.itpub.net/9252210/viewspace-558106

From the ITPUB blog, link: http://blog.itpub.net/9252210/viewspace-664326/. If you reprint this, please cite the source; otherwise legal liability will be pursued.
